4 Answers
4

As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been broken; an attack against it was used to break SSL in 2008. The SHA-0 and SHA-1 hash functions were developed by the NSA.

In February 2005, a successful attack on SHA-1 was reported, finding collisions in about 2^69 hashing operations, rather than the 2^80 expected for a 160-bit hash function.

In August 2005, another successful attack on SHA-1 was reported, finding collisions in 2^63 operations. Theoretical weaknesses of SHA-1 exist as well, suggesting that it may be practical to break within years.

New applications can avoid these problems by using more advanced members of the SHA family, such as SHA-2, or using techniques such as randomized hashing that do not require collision resistance.

The break of MD5 is a collision attack. Collision attacks do not endanger password hashing. Therefore, to the best of my knowledge, MD5 remains fine for password hashing: good enough that I wouldn't rush to change it out from an existing system.
–
D.W. Sep 5 '11 at 18:29

1

In addition, SHA256 and SHA512 are too fast, and should not be used for password storage. Instead, passwords should be hashed with bcrypt, PBKDF2, or scrypt.
–
D.W. Sep 5 '11 at 18:32

Way back in 1978, Robert Morris and Ken Thompson published the Unix "crypt" password scheme with two innovations that are crucial for password hashing: salts and iteration counts. Without a salt, hashes are very vulnerable to hash tables and rainbow tables. Even with a salt, iterations are also needed to prevent very quick brute-forcing of most any password with 8 or fewer characters, to say nothing of simple variations of dictionary words. How long does it take to actually generate rainbow tables?

So please use a real hash designed for passwords - i.e. one that is slow and salted. Some good candidates are:

Rfc2898DeriveBytes Class uses Sha1 as its hashing method. Sha1 has been identified as possibly vulnerable to mathematical weaknesses. Does this mean that this class is also undesirable to use?
–
Chris Dale Jul 25 '12 at 8:14

@Karrax I haven't heard anyone suggest that the theoretical weaknesses seen in SHA1 (or even the real collision attacks on MD5) would affect its use for repeated hashing like this, so Rfc2898DeriveBytes should be fine. An alternative that uses SHA256 is available in modern crypt.
–
nealmcb Jul 26 '12 at 15:52

OK. Wikipedia says this: "security flaws were identified in SHA-1, namely that a mathematical weakness might exist", but it may not affect this then. Thank you.
–
Chris Dale Jul 27 '12 at 6:21

The most important piece of advice is to migrate to an algorithm designed for password hashing: bcrypt, PBKDF2, or scrypt. These algorithms are designed to meet the needs of hashing passwords; for instance, to deter dictionary attacks, they use iteration to ensure that hashing is slow, and to deter amortization attacks, they include a salt in the hash.

There is no need to migrate from MD5 to SHA. You may have heard that MD5 is broken. This is true, but not in a way that endangers MD5 for password hashing. The attacks on MD5 are on its collision resistance. However, MD5's one-wayness is still going strong. For password hashing, all that you need is one-wayness. Therefore, there is no need to migrate from MD5 to another hash like SHA256 or SHA512 (except possibly for appearances' sake).

So, the most important thing you can do is switch to bcrypt/PBKDF2/scrypt to make dictionary search harder.

See also the following posts with excellent advice about how to hash passwords:
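The salted, iterated scheme nealmcb's answer describes and the PBKDF2 migration D.W. recommends, as an added example that is not code from either answer: Python's hashlib.pbkdf2_hmac with a per-password random salt and a stored iteration count, a constant-time verifier, and a rough measurement of how much slower guessing becomes compared with unsalted MD5. The iteration count, salt length and record format are assumptions; passing prf="sha1" gives the HMAC-SHA1 construction that Rfc2898DeriveBytes uses.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed policy values (not from the page): work factor and salt length.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, prf: str = "sha256") -> str:
    """Salted, iterated hash; returns 'pbkdf2_<prf>$<iterations>$<salt>$<key>' (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt per password defeats precomputed tables
    key = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_%s$%d$%s$%s" % (prf, iterations,
                                   base64.b64encode(salt).decode(), base64.b64encode(key).decode())

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored PRF, iteration count and salt, then compare in constant time."""
    scheme, iterations, salt_b64, key_b64 = record.split("$")
    prf = scheme.split("_", 1)[1]
    expected = base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def unsalted_md5(password: str) -> str:
    """The legacy scheme the question is migrating from: one fast, unsalted digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def slowdown_factor(iterations: int, rounds: int = 5) -> float:
    """How many times fewer guesses per second an attacker gets against PBKDF2 than against MD5."""
    salt = b"\x00" * SALT_BYTES  # fixed salt here only so the timing run is repeatable
    t0 = time.perf_counter()
    for _ in range(rounds * 1000):
        unsalted_md5("hunter2")
    md5_rate = rounds * 1000 / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for _ in range(rounds):
        hash_password("hunter2", salt=salt, iterations=iterations)
    pbkdf2_rate = rounds / (time.perf_counter() - t0)
    return md5_rate / pbkdf2_rate

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec, verify_password("correct horse battery staple", rec))
    print("PBKDF2 slows guessing by roughly %.0fx" % slowdown_factor(ITERATIONS))
```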